Sugarplum -- spam poison

What is Sugarplum?

Sugarplum is an automated spam-poisoner. Its purpose is to feed
realistic and enticing, but totally useless or hazardous, data to wandering
address harvesters such as EmailSiphon, Cherry Picker, etc. The idea is
to so contaminate spammers' databases as to require that they be
discarded, or at least that all data retrieved from your site (including
actual email addresses) be removed.

Sugarplum tries to be very difficult to detect automatically, leaving no
signature characteristics in its output, and may be grafted in at any
point in a webserver's document tree, even passing itself off as a static
HTML file. It can optionally operate deterministically, producing the
same output on many requests of the same URL, making it difficult to
detect by comparison of multiple HTTP requests.
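
The deterministic mode described above, together with the repeatable Last-Modified headers mentioned in the 0.8.3 notes below, as an added Python example. It is not Sugarplum's own code; the secret, word list, function names and HMAC-based seeding are assumptions, and reserved TLDs are used so the sample addresses cannot reach anyone.

```python
import hashlib
import hmac
import random
from email.utils import formatdate

# Hypothetical per-site secret: keeps the URL-to-page mapping unguessable.
SITE_SECRET = b"constructed-secret-for-this-example"
# Constructed word list; a real deployment would draw on a large dictionary.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet", "harbor"]
# Reserved TLDs (RFC 2606), so this sample output never names a real mailbox.
TLDS = ["example", "test", "invalid"]
EPOCH_2000 = 946684800  # 2000-01-01 00:00:00 UTC


def rng_for(host, path):
    """Return a PRNG seeded only by the secret and the requested URL."""
    msg = f"{host.lower()}\n{path}".encode()
    digest = hmac.new(SITE_SECRET, msg, hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest, "big"))


def fake_address(rng):
    """Dictionary-style username plus a made-up domain."""
    user = rng.choice(WORDS) + str(rng.randrange(10, 100))
    domain = rng.choice(WORDS) + rng.choice(WORDS) + "." + rng.choice(TLDS)
    return f"{user}@{domain}"


def render(host, path, count=5):
    """Build (headers, body) for a URL; identical on every request."""
    rng = rng_for(host, path)
    # Repeatable Last-Modified: a date within the year 2000 taken from the
    # same seed, instead of the current time, which would differ per fetch.
    stamp = EPOCH_2000 + rng.randrange(365 * 86400)
    headers = {
        "Content-Type": "text/html",
        "Last-Modified": formatdate(stamp, usegmt=True),
    }
    items = "\n".join(
        f'<li><a href="mailto:{a}">{a}</a></li>'
        for a in (fake_address(rng) for _ in range(count))
    )
    return headers, f"<html><body><ul>\n{items}\n</ul></body></html>\n"


if __name__ == "__main__":
    hdrs, page = render("www.example.org", "/staff/contact.html")
    print(hdrs["Last-Modified"])
    print(page)
```

Because nothing in the response depends on the clock or on per-request randomness, fetching the same URL twice and comparing the results shows no difference, which is what a static HTML file would also show.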

Thursday, 09/25/2003: As has been widely noted
already, ten days ago Verisign (the most prominent domain registrar
in US TLDs, and a chronic abuser of its position) started issuing
wildcard responses in the .com and .net TLDs, presumably trying
to profit off mass-typosquatting by selling ad space and accumulating
statistical data on the traffic to common typo-domains. While it's
an incredibly stupid and greedy idea, this has
an interesting side effect -- because nearly any randomly generated
.com/.net domain now resolves to an IP, poison addresses become
somewhat more effective -- where previously a dual MX/A-record lookup
was required to test for poison, now it requires a comparison against
any IPs served up by Verisign for the wildcards as well, something no
address harvester is/was equipped to do.

Wednesday, 05/07/2003: Something way out of left field: I
ran across an essay
written by a Neil Hennessy in 2001; it seems he was quite taken with
Sugarplum's randomized-language output, which corresponds to some
degree with a particular poetry genre. Describing it, he explains
"Sugarplum confounds the readers fetish for reference by planting
imaginary email addresses, preventing the reader from reaching beyond
language to anchor itself in a proper name from the extralinguistic
world." It also seems
to have been included in a stage performance of some sort. I'm, er,
flattered. :)

Tuesday, 04/01/2003: Here's 0.9.10,
with some features/fixes to the deterministic mode as reflected
across multiple hosts in various ways.

Wednesday, 03/19/2003: The Center for
Democracy and Technology released a report
on a study they performed of how email addresses fall into the hands
of spammers and what happens next. Most of the results are
unsurprising, but they note that in their tests 98% by volume of the
spam observed was sent to addresses harvested from the web (note that
they weren't using test addresses susceptible to dictionary attack).
Notably, there appeared to be a strong correlation between the
popularity (term undefined) of a site on which an address appeared,
and the number of times it was then spammed. It'd be really nice to
see some of these high-popularity sites start setting out poison -- to
date this has usually been done only by those with relatively low
traffic and specialized topics.

Friday, 09/27/2002: Sugarplum 0.9.8 is available. This is
a major revision, based on a "two years hence" review of
evolved spammer tactics, countermeasure viability, and
various public feedback. This release is much quicker,
easier to install and maintain, and about half the size.
See the changelog for details.

Thursday, 05/30/2002: I've gotten a couple of inquiries whether
Sugarplum is still being maintained. The answer: nothing new
has been added lately, since Sugarplum is pretty much
feature-complete. There's not much to add. Sugarplum hasn't
fallen to bit-rot; it still runs under the versions of
perl, Apache, Linux and GDBM current as of this
writing.

Thursday, 12/28/2000: Sugarplum 0.8.4 is available for
download. This release incorporates some bugfixes and feature
suggestions, most notably teergrube (tarpit) "bait" addresses
and a new "deterministic" mode.

Sunday, 11/25/2000: Following the 0.8.3 announcement,
Sugarplum was posted
to Slashdot. This yielded lots of suggestions, a few patches, and
a great deal of load for my feeble 128k outbound link. :)

Wednesday, 11/22/2000: Sugarplum 0.8.3 is in the download area.
New features include repeatable Last-Modified headers, dictionary
generated usernames and a few other minor adjustments.

Tuesday, 7/13/1999: Today I happened across a piece of
filtered-out spam in a purge queue commenting on its lists'
immunity to spam poisoners. Excerpt and commentary
here.

Friday, 6/4/1999: Sugarplum 0.8.2 is in the download area. This
version fixes a few minor bugs and adds a few minor features.
Specifics in the changelog.

Tuesday, 6/3/1999: Sugarplum 0.8 receives a shiny "5 penguin"
rating from Linuxberg.
Whee. Glancing at linuxberg's "what's new" page, I note that as
much as a third of the software posted there has received the same
rating.

See a sample of sugarplum's output (don't worry, you won't be attacked
or firewalled)